Packet tunneling

ABSTRACT

Network devices, systems, and methods are provided for packet processing. One network device includes a network chip having a number of network ports for the device. The network chip includes logic to select original data packets, based on a set of criteria, received from or destined to a particular port on the device, and to tunnel the selected data packets to a second network device whose address is different from the destination address of the selected data packets.

BACKGROUND

Computing networks can include multiple network devices such as routers, switches, hubs, servers, desktop PCs, laptops, and workstations, and peripheral devices, e.g., printers, facsimile devices, and scanners, networked together across a local area network (LAN) and/or wide area network (WAN).

Networks can include an intrusion system (IS), e.g., an intrusion prevention system (IPS) and/or an intrusion detection system (IDS), that serves to detect unwanted intrusions/activities on the computer network. Unwanted network intrusions/activities may take the form of attacks through computer viruses and/or hackers, misconfigured devices, among others, trying to access the network. To this end, an IS can identify different types of suspicious network traffic and network device usage that cannot be detected by a conventional firewall. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, denial of service attacks, port scans, unauthorized logins and access to sensitive files, viruses, Trojan horses, and worms, among others.

In previous approaches, to identify suspicious network traffic, data traffic needs to pass through a point of the network where an IS is located. As used herein, “IS” is used to indicate intrusion system(s), i.e., both the singular and plural. An IS can include an intrusion prevention system (IPS) and/or intrusion detection system (IDS), etc. Previously an IS would have been deployed solely as a standalone in-line device (see FIG. 2A). More recently, the IS has become a shared resource local, e.g., integral, to a network device, e.g., integral to a switch, router, etc. An IDS may be local to a particular network device (see FIG. 2B); however, not all network devices in a network will have an IDS local to them. If the IS is not “in-line”, e.g., between one port and another in a network packet's intended path, then suspicious activity may not be detected. For large network systems, placing an IS in-line with initial client and/or server attach points, in an intended packet path, can be both expensive to implement and very complex to maintain.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an example of a computing device network in which certain embodiments of the invention can be implemented.

FIG. 2A illustrates a previous approach to placing a network appliance, such as an IS, in-line with a network packet's intended path.

FIG. 2B illustrates an approach to placing a network appliance's functionality in a network device, e.g., a switch, such that it is in-line with a network packet's intended path.

FIG. 3 illustrates various network devices on a network.

FIG. 4 provides an example illustration of bit definitions for an IP packet, including the fields within an IP and TCP header.

FIG. 5 illustrates a tunnel encapsulation of a packet.

DETAILED DESCRIPTION

Embodiments of the invention may include network devices, systems, methods, and other embodiments, including executable instructions and/or logic. One embodiment is a network device that includes a network chip having a number of network ports for the device. The network chip may include logic to select original data packets received from or destined to a particular port on the device based on a number of criteria. In some embodiments, the number of criteria can include the IP source address (IP SA), the source port, an IP flow (defined as packet traffic between a particular source IP address and a particular destination IP address), a media access controller (MAC) source address (MAC SA), a media access controller (MAC) destination address (MAC DA), the source VLAN, a traffic type, etc. In some embodiments, the network chip may include logic to transparently tunnel the selected data packets to a second network device whose address is different from the destination address of the selected data packets, and back again.

In various embodiments, executable instructions and/or logic, e.g., hardware circuitry on an application specific integrated circuit (ASIC), are provided to receive a network packet, including a media access control (MAC) destination address, from a port on a first network device. The instructions and/or logic are operative to encapsulate the network packet so as to tunnel it securely to a second network device having a MAC destination address different from the MAC destination address of the network packet, in a manner that is transparent to the packet and to the client and/or network device as well.

In one embodiment, instructions and/or logic on the second network device can decapsulate the network packet and send the original network packet to a network appliance, e.g., an IPS, which is not “in-line” with the original path for the network packet and is unaware that it is not in-line with the original path. The network appliance can execute instructions to perform any necessary packet processing, e.g., an IPS may perform security checks on the original packet, and then return the original packet to the second network device. Instructions and/or logic on the second network device can encapsulate the network packet to tunnel the network packet back to the first network device. Instructions and/or logic on the first network device can decapsulate the network packet and forward the network packet by making a forwarding decision based on its original destination address, e.g., MAC destination address, IP destination address, etc.

In various embodiments, instructions and/or logic can select a network packet for encapsulation based on a set of criteria. According to these embodiments, encapsulating the network packet to securely tunnel the network packet to the second network device is performed without requiring the two network devices to be part of the same subnet or layer 2 broadcast domain. As such, these embodiments provide a mechanism to monitor network traffic with fewer “in-line” systems, e.g., one or two IS can be used to monitor many ports on the network, as compared to previously deploying numerous in-line systems or requiring that all traffic from lower devices be sent (as part of the normal traffic forwarding process) through the few network devices with an IS attached.

As used herein, a network can provide a communication system that links two or more computers and peripheral devices, and allows users to access resources on other computers and exchange messages with other users. A network allows users to share resources on their own systems with other network users and to access information on centrally located systems or systems that are located at remote offices. It may provide connections to the Internet or to the networks of other organizations. Users may interact with network-enabled software applications to make a network request, such as to get a file or print on a network printer. Applications may also communicate with network management software, which can interact with network hardware to transmit information between devices on the network.

Although reference is often made to network switches in this disclosure, those skilled in the art will realize that embodiments of the invention may be implemented in other network devices. Examples of other network devices include, but are not limited to, wireless and/or wired routers, switches, hubs, bridges, etc., e.g., intelligent network devices having processor and memory resources.

FIG. 1 illustrates an embodiment of a computing device network 100. As shown in FIG. 1, a number of devices can be networked together in a LAN and/or WAN via routers, hubs, switches and the like. As used herein a “network device” means a switch, router, hub, bridge, etc., e.g., a device having processor and memory resources and connected to a network 100, as the same will be understood by one of ordinary skill in the art. Although the term switch will often be used in this disclosure, those skilled in the art will realize that embodiments may be implemented with other network devices. As the reader will appreciate, the term network device can also be used to refer to servers, PCs, etc., as illustrated further below.

The example network of FIG. 1 illustrates a print server 110-1 to handle print jobs for the network 100, a mail server 110-2, a web server 110-3, a proxy server (firewall) 110-4, a database server 110-5, an intranet server 110-6, an application server 110-7, a file server 110-8, and a remote access server (dial up) 110-9. The examples described here do not provide an exhaustive list of servers that may be used in a network.

The embodiment of FIG. 1 further illustrates a network management station 112, e.g., a server, PC and/or workstation, a number of “fat” clients 114-1, . . . , 114-N which can also include PCs and workstations and/or laptops, and a number of “thin” clients 115-1, . . . , 115-M. As used herein a “thin client” can refer to a computing device that performs little or no application processing and functions more as an input/output terminal. That is, in this example, a thin client generally relies on the application processing being performed on a server networked thereto. Additionally, a thin client can include a client in a server/client relationship which has little or no storage, as the same will be understood by one of ordinary skill in the art. In contrast, a “fat client” is generally equipped with processor and memory resources to perform larger application processing and/or storage.

The designators “N” and “M” are used to indicate that a number of fat or thin clients can be attached to the network 100. The number that N represents can be the same as or different from the number represented by M. The embodiment of FIG. 1 illustrates that all of these example network devices can be connected to one another and/or to other networks via routers 116-1, 116-2, 116-3, and 116-4, and hubs and/or switches 118-1, 118-2, 118-3, 118-4, and 118-5, as the same are known and understood by one of ordinary skill in the art. The term “network” as used herein is not limited to the number and/or quantity of network devices illustrated in FIG. 1.

As one of ordinary skill in the art will appreciate, many of the network devices (e.g., switches 118-1, 118-2, 118-3, 118-4, 118-5 and/or hubs) can include a processor in communication with a memory and will include network chips having logic, e.g., application specific integrated circuits (ASICs), and a number of network ports associated with such logic. By way of example and not by way of limitation, the network management station 112 includes a processor and memory. Embodiments of the various devices in the network are not limited to a number of ports, network chips and/or the type or size of processor or memory resources.

Additionally, as the reader will appreciate, a number of mobile devices, e.g., wireless device 121, can connect to the network 100 via a wireless air interface (e.g., 802.11) which can provide a signal link between the mobile device 121 and an access point (AP) 119. The AP 119 serves a similar role to the base station in a wireless network, as the same will be known and understood by one of ordinary skill in the art. As shown in FIG. 1, the AP 119 can be linked to an access point controller (APC) 123, as the same will be known and understood by one of ordinary skill in the art, which connects the AP 119 over a packet switched signal link, e.g., an Ethernet link, to other network devices, e.g., router 116-1.

As one of ordinary skill in the art will appreciate, each network device in the network 100 can be physically associated with a port of a switch to which it is connected. Information in the form of network packets, e.g., data packets, can be passed through the network 100. Users physically connect to the network through ports on the network 100. Data frames, or packets, can be transferred between network devices by means of a network device's, e.g., switch's, logical link control (LLC)/media access control (MAC) circuitry, or “engines”, as associated with ports on a network device. A network switch forwards network packets received from a transmitting network device to a destination network device based on the header information in received network packets. A network device can also forward packets from a given network to other networks through ports on one or more other network devices. As the reader will appreciate, an Ethernet network is described herein. However, embodiments are not limited to use in an Ethernet network, and may be equally well suited to other network types, e.g., asynchronous transfer mode (ATM) networks, etc.

As discussed herein, networks can include an intrusion system (IS) that serves to detect and/or evaluate suspicious activity on the computer network, e.g., network 100. In previous approaches an IS would be placed in-line, or within a network device, on a network packet's intended path. To protect edge ports the IS would have to be located between clients and the ports of the edge network device (defined in connection with FIG. 3) or within the edge network devices, e.g., edge switches, routers, hubs, etc., and operate in cooperation with a network packet's intended path. In this approach many IS would have to be deployed in the network.

FIG. 2A is a portion of a network such as network 100 shown in FIG. 1. FIG. 2A illustrates a previous approach to placing a network appliance, such as an IS, in-line with a network packet's intended path. FIG. 2A illustrates a number of network devices, 218-1, . . . , 218-N, e.g., switches, networked together to connect network traffic, e.g., data packets, between devices in the network. The network traffic may move from one client, e.g., 214-1, . . . , 214-M, to another (source to destination) through a number of network devices. As shown in the embodiment of FIG. 2A, a network appliance 240, such as an IS, is located in-line in a network packet's intended path, connected between one port on a transmitting (source) network device, e.g., client 214-M, and another port, e.g., a port on switch (S1) 218-1, on the network packet's intended path through other network devices, e.g., switch 218-1, to a destination network device, e.g., client 214-1.

FIG. 2B illustrates an approach to placing a network appliance's functionality 240 in a network device, e.g., switch 218-1, within, e.g., in-line with, a network packet's intended path. In the example of FIG. 2B, the network appliance's functionality 240 is located as software, hardware, and/or an application tool, e.g., as executable instructions and/or logic, within the switch 218-1, which is along a network packet's intended path between a transmitting (source) network device, e.g., client 214-M, and port(s) of a destination network device, e.g., client 214-1.

As used herein, the term “network appliance” is used to mean an add-on device, e.g., “plug-in” or “application module” (as defined below), to a network, as contrasted with a “network device”, e.g., router, switch, and/or hub, etc., which are sometimes considered more as “backbone” component devices of a network. As the reader will appreciate, a network appliance, e.g., 240, can include processor and memory resources capable of storing and executing instructions to perform a particular role or function. A network appliance can also include one or more network chips (e.g., ASICs) having logic and a number of ports, as the same will be known and understood by one of ordinary skill in the art.

In various embodiments, the network appliance 240 serves as a checking functionality and can be in the form of an intrusion prevention system (IPS), as may be supplied by a third party vendor of network security devices. In certain embodiments, the network appliance 240 can be an intrusion detection system (IDS), or another diagnostic device, accounting device, counting device, etc., as may be supplied by a third party vendor. Embodiments are not limited to the examples given here. The various operations of such different checking functionalities are known and understood by one of ordinary skill in the art.

As the reader will appreciate, a network appliance 240, e.g., an IS (IPS and/or IDS), can be provided as a program or routine stored in memory and executed on a processor or by logic in association with a network device. An IS can perform functionality to detect suspicious activity, such as denial of service attacks, port scans and attempts to manipulate network devices, by examining network traffic associated with multiple network devices. An IS may do so by reading the incoming and outgoing data packets from a port and performing analyses to identify suspicious data and/or traffic patterns. In some instances, when an IS becomes aware of a potential security breach, it logs the information and can signal an alert to a threat mitigation engine, as the same will be understood by one of ordinary skill in the art. An IS may respond to suspicious activity by dropping suspicious packets, resetting a connection and/or by programming a firewall to block network traffic from a suspicious source. In various IS this may happen automatically or at the command of a network user such as an information technology (IT) administrator.

IS are not limited to inspecting incoming network traffic. Ongoing intrusions can be learned from outgoing or local traffic as well. Some undesirable activity may even be staged from the inside of a network or network segment, and hence the suspicious activity may not be incoming traffic at all. An IS may watch for suspicious activity by examining network communications, identifying heuristics and patterns (often known as signatures) of known suspicious activity types, and providing an alert or taking action when they occur.

As noted above, in previous approaches, in order to fully cover a network an IS would have to be located in-line with network packet traffic. An IS in-line with edge ports could similarly perform the actions described above. Effectively, however, each edge network device would need an IS statically positioned in-line for monitoring network data traffic through the edge ports. For large network systems, having an IS, or other desirable network appliance, in-line at each edge network device to cover network packet traffic through its ports is expensive and complex to maintain.

Embodiments of the present disclosure, in contrast, include network devices, systems, and methods, having executable instructions and/or logic, to tunnel packets on a network. As described next in connection with FIG. 3, embodiments include a network device that includes a network chip having a number of network ports for the device. The network chip includes logic to select original data packets received from or destined to a particular port on the device, based on the number of criteria, and to tunnel the selected data packets to a second network device whose address is different from the destination address of the selected data packets.

According to embodiments, network devices being monitored do not each have to include an in-line network appliance, e.g., an in-line IS. That is, rather than having an IS at each of the network devices, or achieving less than full network coverage, embodiments of the present disclosure provide an IS at a selected location, or locations, which can be used to receive tunneled, selected data packets to assess data traffic anomalies associated with packets that are not ordinarily passing through ports on a network device associated with the IS.

As the reader will appreciate, various embodiments described herein can be performed by software, application modules, application specific integrated circuit (ASIC) logic, and/or executable instructions operable on the systems and devices shown herein or otherwise. “Software”, as used herein, includes a series of executable instructions that can be stored in memory and executed by the hardware logic of a processor (e.g., transistor gates) to perform a particular task. Memory, as the reader will appreciate, can include random access memory (RAM), read only memory (ROM), non-volatile memory (such as Flash memory), etc.

An “application module” means a self-contained hardware or software component that interacts with a larger system. As the reader will appreciate, a software module may come in the form of a file and handle a specific task within a larger software system. A hardware module may be a separate set of logic, e.g., transistor/circuitry gates, that “plugs in” as a card, appliance, or otherwise, to a larger system/device.

Embodiments of the present invention, however, are not limited to any particular operating environment or to executable instructions written in a particular language or syntax. Software, application modules and/or logic suitable for carrying out embodiments of the present invention can be resident in one or more devices or locations, or in several devices and/or locations in a network. That is, the embodiments of the present disclosure may be implemented in a stand-alone computing system or a distributed computing system. A “distributed computing network” means the use of multiple computing devices in a network to execute various roles in executing instructions, e.g., application processing, etc. As such, FIGS. 3-5 are intended to provide a context for the description of the functions and operations of embodiments of the present invention. The functions and operations described herein may be performed in one or more of the network devices described herein.

FIG. 3 illustrates a portion 300 of a network, e.g., network 100 shown in FIG. 1, including embodiments of various network devices, 318-1, 318-2, . . . , 318-N suited to implement techniques of the present disclosure. Certain devices are referred to as “edge network devices” and other network devices are referred to as “central network devices”. As used herein, “edge network devices” means network devices, e.g., 318-1, having ports connected directly to network clients, 315 and 314-1, . . . 314-F. The network clients can include servers, “fat” and “thin” clients, including mobile network clients connected through an APC, etc., as discussed above in connection with FIG. 1. As used herein, “central network devices” means network devices, e.g., 318-3, which are connected to other network devices, e.g., 318-2, but which are not connected directly to network clients, 315 and 314-1, . . . 314-F, 121, etc.

As described in connection with FIG. 1, the various network devices, 318-1, 318-2, . . . 318-N, can include switches, routers, hubs, etc. (shown as switches in FIG. 3). Such network devices, 318-1, 318-2, . . . 318-N, can include processor(s), e.g., 336-1, . . . 336-N, and memory, e.g., 338-1, . . . , 338-N, resources. The network devices, 318-1, 318-2, . . . 318-N, can similarly include a number of network chips, e.g., 340-1, . . . , 340-N, including logic circuitry (hardware) which can execute instructions and/or logic, and each network chip, 340-1, . . . , 340-N, can include a number of network ports, 320-1, 320-2, . . . , 320-P to send and receive data packets (network traffic) throughout the network 300. As mentioned above, the logic circuitry of the number of network chips, e.g., 340-1, . . . , 340-N, can be in the form of an application specific integrated circuit (ASIC) and include logic to serve as a media access controller (MAC).

As shown in FIG. 3, a number of ports 320-1, 320-2, . . . , 320-P can be included on a network chip 340-1, . . . , 340-N and have access to logic circuitry associated with a network chip 340-1, . . . , 340-N and to the processor 336-1, . . . , 336-N and memory 338-1, . . . , 338-N. A crossbar, crosslink, and/or switching fabric 339-1, . . . , 339-N, as the same will be understood by one of ordinary skill in the art, can connect multiple ports 320-1, 320-2, . . . , 320-P between chips 340-1, . . . , 340-N. As used herein, the designators “N”, “F” and “P” are used to illustrate that various networks can have various numbers of network devices and network clients, and that various network devices in a network may support or contain a various and/or different number of ports. Embodiments are not limited to the example shown in FIG. 3.

As shown in the embodiment of FIG. 3, a network appliance 350 can be connected to a network device, e.g., 318-3, which may be a central network device. The network appliance 350 could also be a part of switch 318-3. As used herein, the term “network appliance” is used to mean an add-on, e.g., “plug-in”, device to a network 300, as contrasted with a “network device” meaning a device such as a router, switch, and/or hub, etc., which are sometimes considered more as “backbone” component devices of a network. As shown in FIG. 3, the network appliance 350 can include processor 351 and memory 352 resources capable of storing and executing instructions to perform a particular role or function. The network appliance can also include one or more chips (ASICs), e.g., 353, having logic and a number of ports 354, as the same have been described above.

In various embodiments, the network appliance 350 is an intrusion prevention system (IPS), as may be supplied by a third party vendor of network security devices. In various embodiments, the network appliance 350 can be an intrusion detection system (IDS), another diagnostic device, an accounting device, a counting device, etc., as may be supplied by a third party vendor. Embodiments are not limited to the examples given here. Further, the various operations of such devices will be recognized and understood by one of ordinary skill in the art.

In the embodiment of FIG. 3, a network packet, e.g., a data packet, is received on a port, e.g., 320-1, of a network device, e.g., switch 318-1, from a network client, e.g., 315. According to various embodiments, executable instructions and/or logic on the switch 318-1, e.g., instructions and/or logic associated with the hardware of the network chip 340-1, can select original data packets, such as original packet 501 shown in FIG. 5, which are received from or destined to a particular port, e.g., 320-1, on the device 318-1. Instructions and/or logic are executed by the network chip, e.g., 340-1, to tunnel encapsulate selected data packets at layer 2. That is, the entire layer 2 packet is encapsulated. In this manner, the network packet can be encapsulated to securely tunnel the network packet without using the normal forwarding logic, e.g., examination of the network packet's destination MAC address, IP address, etc. According to embodiments, the packet is tunnel encapsulated in a manner that is transparent to the network packet. That is, instructions and/or logic execute to “steal” the packet to another location unbeknownst to the normal packet forwarding logic/rules. Encapsulation of the network packet is described further in connection with FIG. 5.

According to various embodiments, the selected data packets are tunnel encapsulated to tunnel (e.g., “steal”) the selected data packets to a second network device, which may be a central network device, e.g., switch (S3) 318-3, having a location different from (e.g., remote from) the original MAC destination address, e.g., MAC destination address (MAC_DA) 560 as shown in FIG. 5, of the selected data packets. That is, the selected data packets are sent via a secure tunnel to the second network device, e.g., 318-3, rather than being forwarded to their original MAC destination address (506 in FIG. 5). As used herein, the term “steal”, as opposed to “copying” and/or “mirroring”, is intended to mean actually forwarding a network packet to a destination different from its intended network path, rather than sending a copy while the original proceeds along that path.

FIG. 4 provides an example illustration of bit definitions for an IP packet, including the fields within an IP header 400, e.g., layer 3 header (L3), and TCP header 401, e.g., layer 4 header (L4). As described above in connection with FIG. 3, network traffic in the form of packets including headers 400 and 401 can be received from and/or destined to ports on a network device, e.g., 318-1, 318-2, . . . 318-N, such as a switch or router, and can be examined by instructions and/or logic in connection with the logical link control (LLC)/media access control (MAC), or higher layer, circuitry associated with the ASIC of a network chip, 340-1, . . . , 340-N. Although various embodiments are described with reference to the TCP/IP protocol, one of ordinary skill in the art will appreciate that embodiments are not limited to this example description. That is, packets which are not TCP or even IP may be parsed for fields which are relevant to the particular protocol in use. It is also noted that both the IP and the TCP headers may include an optional “options” field making them variable in size, as the same will be known and understood by one of ordinary skill in the art.

In various embodiments, the instructions and/or logic can extract information from the various fields of packet headers, e.g., headers 400, 401, and/or the MAC header, e.g., layer 2 header (L2) (shown as 500 in FIG. 5), which can be used for purposes such as determining whether packets correspond to the number of criteria, e.g., the source IP address 420, the source port 450, the source VLAN 470, etc. Additionally, the instructions can monitor, based on the IP flow, those packets which meet the criteria by extracting information from the fields of the IP header which define the IP flow, i.e., the IP source address 420 and the IP destination address 440.

FIGS. 4 and 5 illustrate the numerous header fields that can be examined by instructions and/or logic on the network device 318-1, 318-2, . . . 318-N, either at the layer 2 data link (MAC) layer, at the layer 3 network (IP) layer, at the layer 4 transport (TCP) layer, or at a layer above the TCP/IP protocol stack, as the same will be recognized by one of ordinary skill in the art. As shown in FIGS. 4 and 5, this TCP/IP header information includes a protocol field 430, a source IP address (IP SA) field 420, a destination IP address (IP DA) field 440, a source TCP/UDP port field 450, and a destination TCP/UDP port field 460, etc.

In various embodiments, the selected data packets are tunnel encapsulated to securely tunnel the network packet without using the regular forwarding logic. In various embodiments, the instructions and/or logic can select original data packets according to a set of criteria which may be hard coded into the logic of the network chip, e.g., 340-1. The set of criteria can include information associated with a particular packet and/or a particular port or network device, selected from the group of packets, (IP) flows, network ports, VLAN membership, MAC SA, MAC DA, etc. In various embodiments, the instructions and/or logic can tunnel the selected data packets to the second network device over a secure tunnel 321-1. One of ordinary skill in the art will appreciate the manner in which a secure tunnel 321 can be realized by executing instructions and/or logic to form the secure tunnel between two network devices, e.g., 318-1 and 318-3. More detail is not provided here so as not to obscure embodiments of the present invention.
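The selection step described in this paragraph and in the summary of criteria earlier in the detailed description (IP SA, source port, IP flow, MAC SA, MAC DA, source VLAN, traffic type), as an added example in Python that is not part of the original document and not any vendor's network chip logic: it parses an Ethernet II frame, optionally 802.1Q-tagged, down to the TCP/UDP ports, honouring the variable IP header length the text notes, and applies a criteria set in which an IP flow is a (source, destination) address pair. The frame is inspected only; it is not altered, since the whole layer 2 frame is what gets encapsulated later. All addresses, frames, field names and the `build_frame` helper are constructed for illustration.

```python
import ipaddress
import struct

# Added example (not from the original document): selection logic of the kind
# described for network chip 340-1. Addresses and frames are constructed.
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def parse_frame(frame: bytes) -> dict:
    """Pull the L2/L3/L4 fields the selection criteria key on out of a raw
    Ethernet II frame (optionally 802.1Q-tagged). Non-IP frames yield only the
    L2 fields; the IP header length comes from IHL because options make it
    variable in size."""
    mac_da, mac_sa, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    off, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlan, off = tci & 0x0FFF, off + 4
    fields = {"mac_da": mac_da, "mac_sa": mac_sa, "vlan": vlan, "ethertype": ethertype,
              "ip_sa": None, "ip_da": None, "proto": None, "src_port": None, "dst_port": None}
    if ethertype != ETHERTYPE_IPV4:
        return fields
    ihl = (frame[off] & 0x0F) * 4
    fields["proto"] = frame[off + 9]
    fields["ip_sa"], fields["ip_da"] = frame[off + 12:off + 16], frame[off + 16:off + 20]
    if fields["proto"] in (PROTO_TCP, PROTO_UDP):
        fields["src_port"], fields["dst_port"] = struct.unpack_from("!HH", frame, off + ihl)
    return fields


def matches(fields: dict, criteria: dict) -> bool:
    """Every criterion must match. 'ip_flow' is a (src, dst) address pair, the
    document's definition of an IP flow; any other key names a parsed field."""
    for key, want in criteria.items():
        have = (fields["ip_sa"], fields["ip_da"]) if key == "ip_flow" else fields.get(key)
        if have != want:
            return False
    return True


def select_for_tunnel(frames, criteria):
    """Split frames into those stolen into the tunnel and those left to the
    normal forwarding path. The frame bytes are never modified here."""
    stolen, normal = [], []
    for frame in frames:
        (stolen if matches(parse_frame(frame), criteria) else normal).append(frame)
    return stolen, normal


def build_frame(mac_da, mac_sa, ip_sa, ip_da, sport, dport, vlan=None, proto=PROTO_TCP):
    """Construct a minimal tagged IPv4 frame; the L4 header starts with the ports."""
    eth = mac_da + mac_sa
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", sport, dport) + bytes(16)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip_sa, ip_da)
    return eth + ip + l4


# Constructed sample traffic as seen on one edge port: a client talking to two
# servers, and one reply frame flowing the other way.
MAC_CLIENT, MAC_SERVER, MAC_OTHER = (bytes.fromhex(h) for h in ("02aabbcc0001", "02aabbcc0002", "02aabbcc0003"))
IP_A, IP_B, IP_C = (ipaddress.IPv4Address(a).packed for a in ("10.0.0.1", "10.0.0.2", "10.0.0.3"))
SAMPLE_FRAMES = [
    build_frame(MAC_SERVER, MAC_CLIENT, IP_A, IP_B, 40000, 80, vlan=10),
    build_frame(MAC_SERVER, MAC_CLIENT, IP_A, IP_B, 40001, 443, vlan=10),
    build_frame(MAC_OTHER, MAC_CLIENT, IP_A, IP_C, 40002, 80, vlan=20),
    build_frame(MAC_CLIENT, MAC_SERVER, IP_B, IP_A, 80, 40000, vlan=10),
    build_frame(MAC_OTHER, MAC_CLIENT, IP_A, IP_C, 5353, 53, vlan=20, proto=PROTO_UDP),
]

if __name__ == "__main__":
    stolen, normal = select_for_tunnel(SAMPLE_FRAMES, {"ip_flow": (IP_A, IP_B)})
    print(f"flow A->B: {len(stolen)} stolen, {len(normal)} forwarded normally")
```

A flow criterion is directional in this model, so the reply frame from IP_B to IP_A is not selected by `{"ip_flow": (IP_A, IP_B)}`; a deployment that wants both directions of a conversation inspected has to install both pairs, or select on the source VLAN or port instead.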

According to embodiments, the second network device 318-3 includes logic, e.g., logic on network chip 340-3, to decapsulate the selected data packets, e.g., to decapsulate encapsulated packet 503 shown in FIG. 5, and to send the original data packets, e.g., 501 in FIG. 5, to a network appliance 350. In various embodiments, the second network device 318-3, e.g., a central network device, can include logic to forward the decapsulated packet, e.g., original data packet 501, to the network appliance 350 based on addresses within the encapsulation headers 510. That is, logic can choose to forward the decapsulated packet based on the MAC DA 520 within the encapsulation headers 510, or on any combination of the fields in the encapsulation header 510, such as the IP source address (IP SA) and IP destination address (IP DA) (analogous to 420 and 440 as shown in FIG. 4) within the IP encapsulation header 514, or the IP protocol (analogous to 430 as shown in FIG. 4) contained in the IP encapsulation header 514. The logic can also identify a key field contained within the encapsulation header 512, etc. In addition, the encapsulation IP header 514 may also include an authentication field, e.g., authentication information, to guarantee the authenticity of the aforementioned addresses. Because the forwarding decision on the second device is made from the encapsulation headers alone, that authentication field is what stops a packet carrying forged encapsulation headers from being accepted and delivered to the appliance as if it had come from a legitimate tunnel source.

As described above, the network appliance 350 can include processor 351 and memory 352 resources as well as hardware logic (ASIC) 353 and associated ports 354, as the same has been described herein, to operate on original data packets received from the second network device 318-3. As mentioned above, the network appliance 350 can be an IPS, supplied by a third party vendor of network security devices or otherwise. In various embodiments, the network appliance 350 can be an intrusion detection system (IDS), another diagnostic device, an accounting device, a counting device, etc., as may be supplied by a third party vendor or otherwise. Embodiments for network appliance 350 are not limited to the examples given here. The various operations of such devices will be recognized and understood by one of ordinary skill in the art.

In various embodiments, the second network device 318-3 includes instructions and/or logic which executes to tunnel encapsulate original data packets, e.g., packet 501 in FIG. 5, returned from the network appliance 350 and to tunnel, e.g., via return tunnel 321-2, the selected data packets back to the network device, e.g., edge network device 318-1, from which the second network device 318-3 originally received the selected data packets. That is, logic can compare a tunnel source identification, e.g., a handle field that has already been inserted into the original packet 501, with a stored table (e.g., list) of valid tunnel identification values to determine the new encapsulation 510 that is used to return tunnel encapsulate the original packet 501. One example of the determination, use, and operation of a handle field is described in co-pending, commonly assigned U.S. patent application Ser. No. ______, entitled ______, by the same inventors, filed ______. The same is not described more fully herein so as not to obscure embodiments of the present invention. According to various embodiments a valid tunnel identification value includes at least an IP source address within an encapsulation IP header 514 (IP SA from the forward tunnel 321-1, becoming IP DA in the reverse tunnel 321-2). However, the valid tunnel identification value may also include explicit authorization information in the encapsulation IP header information 514, and possibly also information from the encapsulation header 512, e.g., a key field.

The network device 318-1 includes instructions and/or logic to decapsulate encapsulated packet 503 shown in FIG. 5, returned from the second network device 318-3. According to various embodiments, the network device 318-1 includes instructions and/or logic which can send the original data packets, e.g., 501 in FIG. 5, to the destination address, 506, of the original data packets, e.g., of original data packet 501 in FIG. 5. That is, instructions and/or logic execute to recompose the original data packet and provide the same to normal forwarding logic on the network device 318-1 so the network packet can be forwarded in its original format “unaware” that it has been stolen to and operated upon by the network appliance 350. The original network packet, 501 in FIG. 5, will act, behave, and be operated upon as if it had just been received at the network device 318-1, e.g., from client 315. One example of the restoration of the original packet properties, e.g., physical source port (450 in FIG. 4), etc., is described in co-pending, commonly assigned U.S. patent application Ser. No. ______, entitled ______, by the same inventors, filed ______. The same is not described more fully herein so as not to obscure embodiments of the present invention. Instructions and/or logic will also recognize if a given packet has already been checked, i.e., inspected and/or “cleared”, so as not to return the packet to be checked once again in duplicative fashion.

In previous applications for tunneling packets, a network packet would be sent through a tunnel as a part of the normal forwarding process, e.g., layer 2 (L2) bridging, or, more commonly, layer 3 (L3) routing. That is, in the case of IP routing, a next-hop route in the IP routing table would point to a tunnel. In contrast, tunnel embodiments described in the present disclosure are not used to form part of the normal forwarding path. That is, according to embodiments of the present disclosure, the ingress to and egress from the tunnel are not a part of the regular forwarding process, and thus could be considered to be “transparent” to the network packet. Again, the original network packet, e.g., 501 in FIG. 5, will act, behave, and be operated upon as if it had just been received from a particular port, e.g., 320-1, on the network device 318-1 from a given network client, e.g., 315.

The description above includes embodiments in which the network appliance 350 is also unaware that the selected data packets have been “stolen” to the network appliance 350. An alternative embodiment includes an embodiment in which the network appliance 350 is aware that the selected data packets have been stolen to the network appliance 350. In this embodiment the network appliance 350 can include instructions and/or logic which can receive the tunnel encapsulated selected data packets from the network device 318-1. In this embodiment the tunnel 321-1 is not terminated on the second network device 318-3, and tunnel 321-2 is not originated on the second network device 318-3, but rather both tunnels 321-1 and 321-2 extend to the network appliance 350.

In this embodiment instructions and/or logic on the network appliance 350 can decapsulate the selected data packets to the original data packets, e.g., 501 in FIG. 5, prior to operating thereupon, e.g., processing. Effectively, in these embodiments, the network appliance 350 can perform a secure virtualization of the location of the network appliance 350 within the network, i.e., identify which port of which network device, e.g., 320-1, from which it is interacting and receiving selected data packets, as if it were in-line, e.g., “virtually in-line” 316 in FIG. 3, between the original client 315 and the switch 318-1. Additionally, the network appliance 350 could, post processing, execute instructions and/or logic to tunnel encapsulate original data packets 501 to return tunnel, e.g., via 321-2, the selected data packets back to the network device, e.g., edge network device 318-1, from which the network appliance 350 received the selected data packets. This secure virtualization and return tunnel encapsulation requires the network appliance 350 to maintain a switch port identification handle (e.g., IP source address of the encapsulating IP header 514, along with key information in the encapsulation header 512) with the original data packet as it is being processed. This can allow the network appliance 350 to both perform the secure virtualization, and can also be used to form a part of the encapsulation 510 of the return tunnel, i.e., the destination IP address of the return encapsulation IP header 514.

FIG. 5 illustrates a tunnel encapsulation of a selected data packet according to embodiments of the present disclosure. As represented by the illustration in FIG. 5, instructions and/or logic on a given network device can receive a network packet 501 from a port on a particular, e.g., first, network device. As shown in FIG. 5, the network packet will include a payload 502, e.g., the data content, and header information 500. As illustrated in FIG. 5 the header information 500 can include a source MAC address 504 (MAC_SA), a destination MAC address 506 (MAC_DA), and can include Ethernet type information 508, among other information. Hence, in FIG. 5, network packet 501 represents an original data packet received from or destined to a port on a network device from another network device and/or network client, e.g., from port 320-1 on device 318-1 from client 315 as described in connection with FIG. 3. Again, selected data packets can be chosen according to a number of criteria. According to various embodiments, the number of criteria can include the source IP address (IP SA), the source port, an IP flow (defined as packet traffic between a particular source IP address and a particular destination IP address), a media access controller (MAC) source address (MAC SA), a media access controller (MAC) destination address (MAC DA), the source VLAN, a traffic type, etc., in order to capture a subset of data packets received from or destined to any particular port, e.g., traffic to servers, http traffic, all TCP traffic, all traffic to “off-site” addresses, all IP traffic, etc.

As described herein, embodiments include instructions and/or logic on a network device, e.g., chip 340-1 on device 318-1 in FIG. 3, to encapsulate the original received data packet 501 to secure tunnel the network packet to a second network device having a MAC destination address different from the MAC destination address of the original received data packet 501. As illustrated in the embodiment of FIG. 5, the instructions and/or logic can encapsulate the original received data packet 501 with new packet header information 510 to create tunnel encapsulated packet 503. The new packet header information 510 can include an encapsulation header 512, such as a generic routing encapsulation (GRE) header. Other encapsulation header 512 examples include Ethernet-within-IP (RFC 3378), Layer 2 Tunneling Protocol (L2TP, RFC 3931), etc. The new packet header information 510 can also include an encapsulation internet protocol (IP) header 514, an Ethernet type header 516, a source MAC address 518 (MAC_SA), and a destination MAC address 520 (MAC_DA), among other encapsulation header information.
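The following is an added example, not code from the patent or from any product it describes, that models in software what the preceding paragraphs describe: the selection criteria hard coded on chip 340-1 (port, VLAN, MAC SA/DA, IP flow, or a server prefix), the FIG. 5 layout of packet 503 (header 510 = MAC DA 520, MAC SA 518, Ethertype 516, IP header 514, encapsulation header 512, then original packet 501 carried untouched), and the stored table of valid tunnel identification values that device 318-3 consults before decapsulating and that fixes the IP DA of return tunnel 321-2. GRE with the key field set is assumed for header 512, with the GRE protocol type for a whole Ethernet frame as payload; the MAC addresses, IP addresses, key value and sample client-to-server frame are constructed values, not from the patent. The optional authentication field in header 514 that the text mentions is not modelled.

```python
# Added example (not the patent's own code): a software model of the FIG. 5
# encapsulation (header 510 around packet 501), the selection criteria and the
# stored table of valid tunnel ids. GRE with a key field is assumed for header 512.
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_GRE = 47
GRE_FLAG_KEY = 0x2000   # K bit set: a 4-byte key follows the GRE base header
GRE_PROTO_TEB = 0x6558  # GRE payload is a whole Ethernet frame (assumption)

# Constructed sample identities for edge device 318-1 and central device 318-3.
EDGE_MAC = bytes.fromhex("020000000001")     # MAC SA 518 on the forward tunnel
CENTRAL_MAC = bytes.fromhex("020000000003")  # MAC DA 520 on the forward tunnel
EDGE_IP = ipaddress.IPv4Address("192.0.2.1")
CENTRAL_IP = ipaddress.IPv4Address("192.0.2.3")
TUNNEL_KEY = 0x1234
CRITERIA = {"server_nets": (ipaddress.IPv4Network("10.0.2.0/24"),)}  # "traffic to servers"

def ip_checksum(hdr):
    """RFC 791 header checksum; yields 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (IHL 5, DF, TTL 64) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, src.packed, dst.packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def parse_frame(frame):
    """Fields of packet 501: MAC DA 506, MAC SA 504, Ethertype 508, VLAN id, IP SA/DA."""
    mac_da, mac_sa, etype = struct.unpack_from("!6s6sH", frame, 0)
    off, vlan = 14, None
    if etype == ETHERTYPE_VLAN:  # 802.1Q tag: pull the VLAN id and skip the 4-byte tag
        tci, etype = struct.unpack_from("!HH", frame, off)
        vlan, off = tci & 0x0FFF, off + 4
    info = {"mac_da": mac_da, "mac_sa": mac_sa, "etype": etype, "vlan": vlan,
            "ip_sa": None, "ip_da": None}
    if etype == ETHERTYPE_IPV4 and len(frame) >= off + 20:
        info["ip_sa"] = ipaddress.IPv4Address(frame[off + 12:off + 16])
        info["ip_da"] = ipaddress.IPv4Address(frame[off + 16:off + 20])
    return info

def select_for_stealing(frame, ingress_port, criteria):
    """Chip 340-1 selection: steal if any criterion (port, VLAN, MAC SA/DA, IP flow,
    IP DA inside a server prefix) matches the packet or the port it arrived on."""
    f = parse_frame(frame)
    if ingress_port in criteria.get("ports", ()) or f["vlan"] in criteria.get("vlans", ()):
        return True
    if f["mac_sa"] in criteria.get("mac_sa", ()) or f["mac_da"] in criteria.get("mac_da", ()):
        return True
    if f["ip_da"] is not None:
        if (f["ip_sa"], f["ip_da"]) in criteria.get("flows", ()):
            return True
        if any(f["ip_da"] in net for net in criteria.get("server_nets", ())):
            return True
    return False

def encapsulate(frame, mac_da, mac_sa, ip_sa, ip_da, key):
    """Packet 503: MAC DA 520 | MAC SA 518 | Ethertype 516 | IP 514 (proto 47) | GRE 512 | 501."""
    gre = struct.pack("!HHI", GRE_FLAG_KEY, GRE_PROTO_TEB, key)
    outer_ip = ipv4_header(ip_sa, ip_da, IPPROTO_GRE, len(gre) + len(frame))
    return mac_da + mac_sa + struct.pack("!H", ETHERTYPE_IPV4) + outer_ip + gre + frame

def decapsulate(pkt, valid_tunnels):
    """Strip header 510 only if (outer IP SA, GRE key) is in the stored table of valid
    tunnel ids; otherwise drop (None). Returns (packet 501, (outer IP SA, IP DA, key))."""
    if len(pkt) < 42 or struct.unpack_from("!H", pkt, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (pkt[14] & 0x0F) * 4
    outer_ip = pkt[14:14 + ihl]
    if pkt[14] >> 4 != 4 or ip_checksum(outer_ip) != 0 or outer_ip[9] != IPPROTO_GRE:
        return None
    ip_sa, ip_da = (ipaddress.IPv4Address(outer_ip[i:i + 4]) for i in (12, 16))
    flags, proto, key = struct.unpack_from("!HHI", pkt, 14 + ihl)
    if flags != GRE_FLAG_KEY or proto != GRE_PROTO_TEB or (ip_sa, key) not in valid_tunnels:
        return None
    return pkt[14 + ihl + 8:], (ip_sa, ip_da, key)

def return_tunnel(pkt, valid_tunnels, my_mac, peer_mac):
    """Device 318-3: the forward tunnel's IP SA becomes the IP DA of return tunnel 321-2."""
    res = decapsulate(pkt, valid_tunnels)
    if res is None:
        return None
    original, (fwd_sa, fwd_da, key) = res
    return encapsulate(original, peer_mac, my_mac, fwd_da, fwd_sa, key)

def sample_frame():
    """Constructed packet 501: client 10.0.1.15 -> server 10.0.2.8, TCP, 5-byte payload."""
    inner = ipv4_header(ipaddress.IPv4Address("10.0.1.15"), ipaddress.IPv4Address("10.0.2.8"), 6, 5)
    return (bytes.fromhex("0200000000b0") + bytes.fromhex("0200000000a1")
            + struct.pack("!H", ETHERTYPE_IPV4) + inner + b"hello")

def round_trip():
    """Edge steals 501, 318-3 hands it back over 321-2, edge restores 501 unchanged."""
    frame = sample_frame()
    stolen = encapsulate(frame, CENTRAL_MAC, EDGE_MAC, EDGE_IP, CENTRAL_IP, TUNNEL_KEY)
    back = return_tunnel(stolen, {(EDGE_IP, TUNNEL_KEY)}, CENTRAL_MAC, EDGE_MAC)
    restored, _ = decapsulate(back, {(CENTRAL_IP, TUNNEL_KEY)})
    return restored == frame
```

The check in `decapsulate` against the stored table is the part a practitioner should not drop: without it, any GRE packet that reaches the tunnel endpoint with the right protocol type would be decapsulated and its inner frame handed to the appliance or, on the return path, to normal forwarding on the edge device. Because `round_trip` compares the restored bytes against the original, it also shows the transparency property the text describes: packet 501 comes back to device 318-1 byte for byte as it was received from the client port.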

As described herein, embodiments also include instructions and/or logic on a network chip of a network device, e.g., chip 340-3 on device 318-3, and/or software and/or logic on a network appliance, e.g., 350 in FIG. 3, to decapsulate a selected network packet and to re-encapsulate the selected network packet as appropriate to send, receive, operate upon, and/or resend the selected network packet.

Accordingly, embodiments, as the same have been described herein, include instructions and/or logic which can steal a network packet to another network device and/or network appliance, e.g., an IPS, which is not “in-line” with an original path for the network packet in a manner which is transparent to the network packet. That is, the stolen packet does not involve normal forwarding logic in which a network packet would be “aware” of the fact that it was being placed in or had just exited from a tunnel. In some embodiments, a network appliance is also unaware that it is not in-line with the original path. In other embodiments, the network appliance may be aware that the packet has been stolen and operate in concert therewith, handling a secure virtualization of the network location from which the packet was stolen. The instructions and/or logic can tunnel the network packet between network devices, e.g., via a secure tunnel. Once returned to the network device at which the network packet was originally received, the packet will act, behave, and be operated upon as if it had just been received by the network device on the original port. Instructions and/or logic will also recognize if a given packet has already been checked, i.e., inspected and “cleared”, so as not to return the packet to be checked once again in duplicative fashion.

It is to be understood that the above description has been made in an illustrative fashion, and not a restrictive one. Although specific embodiments have been illustrated and described herein, those of ordinary skill in the art will appreciate that other component arrangements and device logic can be substituted for the specific embodiments shown. The claims are intended to cover such adaptations or variations of various embodiments of the disclosure, except to the extent limited by the prior art.

In the foregoing Detailed Description, various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that any claim requires more features than are expressly recited in the claim. Rather, as the following claims reflect, inventive subject matter lies in less than all features of a single disclosed embodiment. Thus, the following claims are hereby incorporated into the Detailed Description, with each claim standing on its own as a separate embodiment of the invention.

1-20. (canceled)
21. A network appliance comprising: logic to: receive a packet that has been tunnel encapsulated by a network device, wherein the tunnel encapsulation caused the packet to be diverted from a path to an original destination to the network appliance by the network device; decapsulate the tunnel encapsulated packet; and process the decapsulated packet to determine information about the decapsulated packet.
22. The network appliance according to claim 21, wherein the packet is to be received through a path in a network that is not in-line with the path to the original destination.
23. The network appliance according to claim 21, wherein the logic is further to: tunnel encapsulate the packet following processing of the decapsulated packet; and communicate the tunnel encapsulated packet back to the network device over a tunnel.
24. The network appliance according to claim 21, wherein the logic is further to: process the decapsulated packet by detecting whether the decapsulated packet comprises a suspicious packet based upon the determined information about the decapsulated packet.
25. The network appliance according to claim 21, wherein the logic is further to: process the decapsulated packet by detecting whether the decapsulated packet comprises an unwanted network intrusion or activity based upon the determined information about the decapsulated packet.
26. The network appliance according to claim 21, wherein the logic is further to: process the decapsulated packet by performing an accounting operation based upon the determined information about the decapsulated packet.
27. The network appliance according to claim 21, wherein the logic is further to: process the decapsulated packet by performing a diagnostic operation based upon the determined information about the decapsulated packet.
28. A network, comprising: a network appliance having ports to receive and transmit data packets; a network device having ports to receive data packets from a network client and ports to transmit data packets into the network, wherein said network device is to tunnel encapsulate selected data packets to secure tunnel the selected data packets to the network appliance instead of sending the selected data packets to an original media access control (MAC) destination address of the data packets; and wherein the network appliance comprises logic to: receive the tunnel encapsulated packet from the network device; decapsulate the encapsulated packet; and process the decapsulated packet to determine information about the decapsulated packet.
29. The network according to claim 28, wherein the network appliance is to receive the tunnel encapsulated packet through a path in the network that is not in-line with a path of the original MAC destination address of the data packets.
30. The network according to claim 28, wherein the logic is further to: tunnel encapsulate the packet following performance of packet processing; and transmit the tunnel encapsulated packet back to the network device over a tunnel.
31. The network according to claim 28, wherein the logic is further to: process the decapsulated packet by detecting whether the decapsulated packet comprises a suspicious packet based upon the determined information about the decapsulated packet.
32. The network according to claim 28, wherein the logic is further to: process the decapsulated packet by detecting whether the decapsulated packet comprises an unwanted network intrusion or activity based upon the determined information about the decapsulated packet.
33. The network according to claim 28, wherein the logic is further to: process the decapsulated packet by performing an accounting operation based upon the determined information about the decapsulated packet.
34. The network according to claim 28, wherein the logic is further to: process the decapsulated packet by performing a diagnostic operation based upon the determined information about the decapsulated packet.
35. A method for processing packets, said method comprising: receiving, in a network appliance, a packet that has been tunnel encapsulated by a network device, wherein the tunnel encapsulation caused the packet to be diverted from a path to an original destination to the network appliance by the network device, and wherein a tunnel between the network appliance and the network device is not in-line with the path to the original destination; decapsulating the encapsulated packet; and processing, by a processor, the decapsulated packet to determine information about the decapsulated packet.
36. The method according to claim 35, further comprising: tunnel encapsulating the packet following processing of the decapsulated packet; and transmitting the tunnel encapsulated packet back to the network device over a tunnel.
37. The method according to claim 35, wherein processing the decapsulated packet further comprises processing the decapsulated packet by detecting whether the decapsulated packet comprises a suspicious packet.
38. The method according to claim 35, wherein processing the decapsulated packet further comprises processing the decapsulated packet by detecting whether the decapsulated packet comprises an unwanted network intrusion or activity.
39. The method according to claim 35, wherein processing the decapsulated packet further comprises processing the decapsulated packet by performing an accounting operation based upon the determined information about the decapsulated packet.
40. The method according to claim 35, wherein processing the decapsulated packet further comprises processing the decapsulated packet by performing a diagnostic operation based upon the determined information about the decapsulated packet.